Volume 1, No. 4
December 2004
 
 

 



Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

“We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”
–Preamble, U.S. Constitution

Since 9-11, government and the private sector have struggled to define respective roles and responsibilities in protecting the Homeland, including securing cyberspace. The answers hold real-world consequences with respect to resources and potential liability.

The Preamble of the U.S. Constitution states that the Federal government is to “provide for the common defence.” The security of cyberspace presents a challenge, given that the private sector owns and operates the vast majority of the information infrastructure and that the Internet is borderless, challenging state, national, and international legal norms. Federal armies cannot defend against invading or destructive bytes. So, how does the Federal government provide for the “common defense”? If you expect to find a clear answer in the following paragraphs - don’t hold your breath. The answer will evolve over time. However, CSIA does believe there are actions the Federal government can and should take over the next four years to qualitatively improve cyber security, which will help provide for the common defense.

The Cyber Security Industry Alliance presented an Agenda for the Next Administration on December 7 at the National Press Club in Washington, DC. The agenda specifies 12 concrete actions the government should take to qualitatively improve cyber security. Our agenda recognizes the importance of the President’s National Strategy to Secure Cyberspace, released in February 2003, which remains salient and timely. Our agenda is not meant to be exhaustive, and we recognize the important role of the private sector in securing the information infrastructure. We see action in each of the areas as continuing to enable the IT revolution that is driving change across all sectors of our economy.

We look forward to working with the Administration, the Congress, and others in the private sector to implement the Agenda.



CSIA Rolls Out Agenda for the Next Administration

On December 7th at the National Press Club in Washington, D.C., CSIA released its Agenda for the Next Administration, calling on the Bush Administration and the Federal Agencies to take action to improve cyber security and enable continued innovation on the Internet.

CEOs and high-level decision-makers from CSIA member firms joined Executive Director Paul Kurtz for a panel presentation of the Agenda. Art Coviello, President and CEO of RSA Security, discussed the importance of raising the profile of cyber security; Steve Solomon, Chairman and CEO of Citadel Security Software, presented issues of information sharing, threat analysis and contingency planning; Krishna Kolluri, President and General Manager of Juniper Networks, followed up on Solomon’s remarks and also discussed the importance of boosting efforts in research and development, and in security education. The discussion was rounded out by comments in support of the Agenda from Amit Yoran, former Director of the National Cyber Security Division in the Department of Homeland Security.

The Agenda, which consists of 12 important recommendations identified by the cyber security industry, was created to ensure that federal agencies follow through on the President’s National Strategy to Secure Cyberspace. The 12 points of the Agenda call on the Federal Government to:

  • Dedicate an Assistant Secretary position in the Department of Homeland Security
  • Urge quick ratification of the Council of Europe’s Convention on Cybercrime
  • Encourage information security governance in the private sector
  • Lead by example with federal procurement practices
  • Close the strategic gap between government and private sector information security efforts
  • Strengthen Information Sharing and Analysis Centers (ISACs)
  • Establish and test a survivable Emergency Coordination network
  • Direct a federal agency to track the costs associated with cyber attacks
  • Increase R&D funding for cyber security
  • Fund authorized responsibilities for NIST Computer Security Division and White House Office of Management and Budget
  • Strengthen the federal security certification process to improve the quality of security in software
  • Direct a task force to develop concrete actions that will secure digital control systems used by utilities

By acting on these recommendations, the Administration will be working to further protect the nation against cyber threats. In addition, they will serve to strengthen the collaboration between federal agencies and the private sector on information security issues. "I think we've raised the profile, but I don't think we got the support within the administration that we should have," said Art Coviello of RSA Security. "All of these (recommendations) should be done and be done quickly."

“CSIA is committed to working with the administration to act on the President’s National Strategy to Secure Cyberspace in a collaborative effort to improve cyber security across the public and private sectors,” said John W. Thompson, Chairman and Chief Executive Officer of Symantec and Chairman of the CSIA. “We face serious threats and vulnerabilities to the national information infrastructure that must be met head on with strong leadership by our administration.”

For additional information, see:

White Paper on the Agenda for the Next Administration

Press release announcing the Agenda for the Next Administration

Photographs from the Rollout Event for the Agenda for the Next Administration



CSIA Member Spotlight

Name: Juniper Networks

Chairman and CEO: Scott Kriens

Founded: 1996

Headquarters: Sunnyvale, CA

Worldwide Offices: Juniper has its European Headquarters in Surrey, UK; Asian-Pacific Headquarters in Central, Hong Kong; and Japanese Headquarters in Tokyo

Number of Employees: 2,500

About Juniper: Juniper Networks is a leading global provider of networking and security solutions. It focuses on customers who derive critical infrastructure from their networks. Juniper’s customers include major network operators, enterprises, government agencies, and research and educational institutions globally. Juniper Networks delivers a portfolio of networking solutions that support the complex scale, security, and performance of the world's largest and most demanding mission-critical networks, including the world's top 25 service providers and 8 of the top 15 Fortune 500 companies.

Areas of Specialization: Juniper Networks provides a portfolio of industry-leading technical support, professional services, and education programs that helps customers and partners gain the maximum value from their network and security investments.

  • Juniper Networks portfolio of Support Services provides backup support and allows customers to select from a variety of options to augment their in-house technical expertise.
  • The Juniper Networks Professional Services group provides expertise and customized consulting services to assist customers in planning new services and technologies.
  • Juniper Networks Educational Services deliver education and technical certification programs to help customers build their IP network expertise through standard technical programs, web-based courses, customized workshops, and hands-on lab sessions.


Juniper's Infranet Vision

The Internet has flourished in recent years because it provides widespread connectivity at a relatively low cost. Even so, the Internet in its current state has some major drawbacks, including marginal performance, low value, unreliability, and perhaps most importantly, a lack of security.

Network security breaches are escalating in number and complexity. Security breaches are on track to grow 600% from 2000 levels (source: CERT Coordination Center). In order for business, government, and consumers to entrust their mission-critical data and personal information to the public network, it must play a fundamental role in securing transmission and filtering attacks.

Today’s challenges cannot be solved by conventional private or public networking approaches. At Juniper, we see the solution as neither a public Internet nor a private network infrastructure; it is instead the best of both.

The solution is an infranet. An infranet is a move away from closed networks and proprietary solutions to selectively open networks and industry collaboration. An infranet is a way to give each business and user a unique slice of a secure public infrastructure and to change user expectation as to its value, performance, predictability, and perhaps most importantly, security. It is a way for businesses and consumers to select and be billed for the range of services and level of experience that is right for them.

An infranet, as envisioned by Juniper and the other members of the Infranet Initiative Council, is comprised of three fundamental building blocks:

  • Expected experience driven by the user’s application: ‘User Request’ enables users to automatically get the experience they require, based on the application they are using. The application dynamically requests the level of security, quality and bandwidth it requires from the network.
  • Predictability throughout the network: ‘Assured Delivery’ provides a network foundation to ensure that services are delivered throughout the network with the specifications required by the User Request.
  • Realistic implementation for next-generation mass-market communication: Carrier connections are required to make global services economically viable and to deliver the true value of the networked community. Just as the industry has developed successful carrier connections for voice and mobile networks, the same must be done on the public network.

Infranets will be built independently by each service provider and will be interconnected. Over time, a new global meta-network will emerge, similar in some respects to today’s PSTN and Internet, yet built to deliver a very different set of applications and with very different user expectations about its capabilities and value.

The benefits of an infranet are commensurate with the magnitude of the problems it solves.

  • A secure and predictable public network means that enterprises and governments will be able to reap the full benefits of Web-enabling their businesses - benefits that dramatically impact the bottom line. In addition, organizations will be able to leverage productivity enhancements inherent in the rapidly growing area of machine-to-machine communications.
  • Consumers and enterprises will achieve a confidence level in network security that is critical to the growth of the online economy. Widespread content distribution over the public network will become more viable and less costly by using infranets to deliver a quality experience. Service providers can match network quality and pricing with the required user experience.
  • Infranets will unlock true person-to-person next-generation communication. A small business may opt to pay for a high-quality conference with a client while friends may share pictures in real time via a digital camera phone.

As an industry, we understand that the success of the infranet model will rely upon developing inter-carrier connections that can support a wide range of automatic application delivery between networks. These inter-carrier connections must be able to provide the following:

  • The ability for premise equipment and end applications to communicate quality, security, and bandwidth requirements to the network so that users get their expected experience.
  • The ability for networks to communicate applications-appropriate levels of service and security when handing off traffic and to implement those service levels when receiving traffic.
  • Accounting mechanisms that will enable carriers to bill each other for traffic handed off between their networks.
  • Appropriate interfaces that meet regulatory requirements by allowing regulated networks to signal and communicate fairly and consistently with unregulated networks.

Industry participants must collaborate to develop required specifications and sponsor them to the appropriate standards bodies for ratification.

At Juniper, we believe that no one company can build the basic infranet structure. An infranet requires a fundamental shift from closed networks to vendor and carrier cooperation. We firmly believe that industry collaboration is the only way to build the network of the future that will benefit all parties: service providers, vendors, content providers, businesses and consumers.

Infranet Initiative Council Members include:

America Online
BT
China Unicom
Ericsson
France Telecom
hp
Huawei
IBM
Juniper
KT
Level 3
Lucent Technologies
Oracle
Orange
Polycom
Qwest
Siemens
T-Com
T-Systems
Telenor
Airespace
Masergy
NetScaler
NexTone Communications
Time Warner Telecom
Ulticom



Nominate the Next Public Policy Award Winner!

Each year, the RSA Conference presents awards for excellence in a variety of categories. For 2005, the award for public policy is co-sponsored by the Cyber Security Industry Alliance. Entries will be judged by CSIA members and Executive Director Paul Kurtz will present the award to the recipient(s).

The RSA Conference Award for Public Policy is designed to recognize significant contribution and leadership in the field of cyber security public policy. The judging committee seeks to reward nominees who hold elected or appointed office, are associated with public interest organizations, or are associated with an organization that has significantly contributed to the development or application of current information security and/or privacy policy.

CSIA newsletter readers are welcome and encouraged to submit nominations for the Award.

To submit your nominee(s), go to: http://2005.rsaconference.com/us/general/awards_form.aspx.

Past recipients include:
Robert Bennett
U.S. Senator, Utah

Sherwood Boehlert
U.S. Representative, New York

Tom Davis
U.S. Representative, Virginia

NIST Advanced Encryption Standard Committee

Ed Gillespie and Jack Quinn
Executive Director and Co-Chairman of Americans for Com

For more information on the RSA Conference Award for Public Policy, visit: http://2005.rsaconference.com/us/general/awards_previous.aspx



Legislative Update

H.R. 10/S.2845 - The National Intelligence Reform Act of 2004

The National Intelligence Reform Act of 2004, which includes recommendations from the 9/11 Commission Report, was signed by President Bush on Dec. 17. The law amended the Clinger-Cohen Act to include cyber security as a requirement for systems planning and acquisition by agencies. The law, however, did not contain the provision creating an Assistant Secretary for Cyber Security in the Department of Homeland Security.

Congressional supporters of the provision indicated that an Assistant Secretary position will be a priority for them in the 109th Congress. CSIA will work with both the Administration and the 109th Congress to ensure an Assistant Secretary position is created at DHS.



Congressional Spotlight

Representative Zoe Lofgren

Born: San Mateo, California, December 21, 1947
Elected: 1994 (will begin sixth term in January 2005)
Committee Assignments: House Select Committee on Homeland Security: Ranking Member, Subcommittee on Cybersecurity, Science, Research & Development; Subcommittee on Rules; House Judiciary Committee: Subcommittee on the Courts; The Internet and Intellectual Property Subcommittee; Subcommittee on Immigration and Claims; House Committee on Science: Subcommittee on Research; Subcommittee on Environment, Technology and Standards

Education: Stanford University, B.A. 1970 (Political Science); University of Santa Clara School of Law, J.D., cum laude, 1975

Career: Staff Assistant to Congressman Don Edwards; worked on impeachment proceedings, the Equal Rights Amendment, and creation of the Don Edwards National Wildlife Refuge in the South San Francisco Bay; Lawyer; Law Professor; Served on Santa Clara County Board of Supervisors, 1981-1994.

Notable: Introduced legislation to accelerate the development of fusion as a long-term energy source, which was included in the comprehensive House energy bill (H.R. 4); successfully fought to initiate the “e-rate” that provides affordable Internet access for schools, libraries, and rural health centers; served as Democratic floor manager for the 21st Century Patent Improvement Act; initiated the SAFE Act to ease export control on encryption; TechNet Founder’s Circle Award, May 2000; named “Cyber Champion” by Business Software Alliance; named “Congressional Leader” by Semiconductor Industry Association and presented with the Congressional Leadership Award in 1998; dubbed “Leader of the Pack” on high-tech issues by C/Net News.com; named one of Top 10 high-tech supporters in Congress by Tech Law Journal.

Congresswoman Zoe Lofgren has consistently been recognized as a leader on high tech issues since she was first elected to Congress in 1994. As Representative of California’s 16th District, which includes Silicon Valley, she has high tech issues on her doorstep every day. The list of initiatives, programs, and legislation she has sponsored and co-sponsored for the benefit of the high tech industry is staggering.

In the 105th Congress, she worked with Rep. Bob Goodlatte (R-VA), co-sponsoring the Safety and Freedom through Encryption Act (SAFE). This legislation guaranteed all Americans the right to use any encryption product, without key escrow, and loosened export restraints. Although the bill ultimately did not pass, it was met with wide support by the computer and Internet industry, demonstrating Lofgren’s understanding of industry issues.

Lofgren has also led the fight to ensure that schools receive Internet access, and she is always advocating for schools and crime-prevention projects in her district. On the high-tech front, the Congresswoman played a crucial role in crafting the compromises that generated broad bipartisan support for the Biomaterials Access Assurance Act, which was passed to end the shortage of biomaterials available to medical device manufacturers. She also was a leader in securing the passage of the Securities Litigation Uniform Standards Act to apply uniform federal standards to securities litigation, and the Internet Tax Freedom Act to impose a moratorium on Internet taxes.

In 1999, the House Democratic Whip, Rep. David Bonior (D-MI), appointed Lofgren to the position of At-Large Whip for the 106th Congress. Bonior stated that she "is a strong advocate for the concerns of America's working families and has a keen understanding of high tech issues."

Congresswoman Lofgren is a member of the House Select Committee on Homeland Security, where she serves as Ranking Member on the Subcommittee on Cybersecurity, Science, Research & Development and sits on the Subcommittee on Rules. Additionally, she serves on the House Judiciary Committee’s Subcommittee on the Courts, the Internet and Intellectual Property Subcommittee and the Subcommittee on Immigration and Claims. Finally, Lofgren is a member of the House Committee on Science’s Subcommittee on Research and Subcommittee on Environment, Technology and Standards.

Congresswoman Lofgren has taken advantage of her roles on these Congressional committees to bring improvements to the high tech industry, working closely with her Republican colleagues. Of particular note, as Ranking Member of the Subcommittee on Cybersecurity, Lofgren and Chairman William “Mac” Thornberry (TX-13) have held fifteen bipartisan hearings and briefings on cybersecurity and science and technology matters during the 108th Congress. The Subcommittee reached out to diverse groups and individuals on ways to improve cybersecurity for the nation. The Subcommittee heard from private sector experts who own and operate critical information infrastructure. Federal, state, and local government officials and academic experts testified on the need to fortify the nation's cybersecurity. A variety of oversight sessions were also held on the Department of Homeland Security's role and responsibilities in helping to improve cybersecurity.

Chairman Thornberry and Ranking Member Lofgren continued their efforts by introducing two bills to enhance cybersecurity and science and technology. H.R. 5068 and H.R. 5069 focused on several cyber security issues, such as the creation of a National Cybersecurity Office, headed by an Assistant Secretary for Cybersecurity, a national response system, an awareness and training program that identifies vulnerabilities, and a grant program for institutions of higher education for the purpose of cybersecurity professional development. Although the bills never left committee, key elements from H.R. 5068 are in H.R. 10, the 9/11 Recommendations Implementation Act, which was passed on December 7, 2004.

We will continue to look to Congresswoman Lofgren’s leadership on the Subcommittee on Cybersecurity, Science, and Research & Development and her ongoing efforts to elevate awareness and make cybersecurity a top-level agenda item.

What is the biggest vulnerability we face in cybersecurity today?

Our economy and infrastructures are dependent on the durability of our computer networks and systems. This interdependence makes our economy and security vulnerable to cyber attack. We are also vulnerable to a cyber attack that is combined with a physical attack.

Unfortunately, both within and outside the government, we are not adequately prepared. Systems and technologies were, and continue to be, deployed without giving sufficient consideration to security.

The Department of Homeland Security is failing to provide the leadership necessary to protect cyberspace. This is due to the de-prioritization of cybersecurity by the current administration. Two years ago, the government's top advisor on cybersecurity sat in the White House. Today, the position is buried four levels down in the Department of Homeland Security bureaucracy.

Congressman Mac Thornberry and I listened to the experts in technology, banking, business, and academia and introduced legislation to remedy this problem by creating an Assistant Secretary of Cybersecurity. I hope we can reintroduce this bill in the coming Congress so we can make sure that the top government cybersecurity personnel has the access and authority to get the job done.

The creation of this position will also help protect our physical and converged physical-cyber infrastructures by hopefully putting experts - not bureaucrats - in charge.

Incredibly, when I recently reviewed California's list of critical assets and resources in the National Asset Database, many if not most of what should be assessed and protected had not even made it onto the list. State and local law enforcement, which are our first responders, do not even know about the lists. The Department cannot possibly conduct meaningful analysis if it is using incomplete and inaccurate data as a foundation.

What do you believe is the role of government (Executive Branch/Congress) in cybersecurity?

The U.S. Government has an important leadership role to play in the cybersecurity arena. The majority of the nation's cyber-infrastructure is in private hands.

The Department of Homeland Security must work with the private sector to identify vulnerabilities and encourage cybersecurity improvements. The Department and other parts of the Executive Branch also lead by example and secure their own systems and networks. If the government simply employed better procurement and internal security practices, it would be making significant progress. Today, government systems are so insecure that many in the private sector fear sharing information with the government lest that information be compromised.

In Congress, we must conduct vigorous oversight of the Department of Homeland Security to make sure that the job is getting done. We must also encourage the private sector - from large companies to the home-user - to make cybersecurity a priority. One way to do this is to work with the private sector in understanding insurance and incentives options that could aid in this effort.

Government also has an important role to play in research and education. Congress can assist this effort by providing sufficient funding to existing programs, especially those created by the Cybersecurity Research and Development Act.

One thing we should not do is be overly prescriptive and regulatory. The technology is moving too fast to attempt to legislate prescriptive solutions. The code writers are faster than the legislative process!

What are the responsibilities of the private sector in supplying good software? What are the responsibilities of the end user?

The old cliché: "You are only as strong as your weakest link" comes to mind. Everyone has a role to play. We are all interconnected - from the government to the producers of hardware and software to the corporate enterprise to the home user - so we must work together to protect our cyber infrastructure. I suspect that in the end we are also going to continue to have a greater involvement by ISPs relative to home user security. Indeed, the steps taken in a recent month by some ISPs to integrate AV into their services show this trend.

As you might expect, the technology sector is generally well ahead of other parts of the economy in caring about cybersecurity. However, “Old Economy” industries are, today, as reliant on technology as the companies in Silicon Valley, my home. Yet, many of the companies in these sectors appear to be less aware than they should be about their vulnerabilities. And, of course, successful attacks against them would have quite an important and adverse impact on our American economy as a whole.

How can policy organizations, such as CSIA, be of the greatest help to the efforts of Congress?

The creation of CSIA this past year has been vital in helping to educate the public about cybersecurity. It and other policy organizations must continue these education efforts. These issues are very complex and we need to hear from the people on the front lines about the threat and the best ways to fight back. CSIA can also help Congress understand how existing federal and state laws are working in the world.



CSIA in the News

CSIA Coverage

For Full CSIA Agenda Coverage visit: https://www.csialliance.org/news/inthenews/

MSNBC, December 7, 2004
Tougher cyber security measures urged
Saying the nation’s vital infrastructure is too vulnerable to cyber terrorism and computer crime, a group of industry experts called on the Bush administration to take tougher counter measures. The Cyber Security Industry Alliance chose the anniversary of the Pearl Harbor attacks to sound the alarm over a new threat to America. "We are already under significant attack: It's not one big one, it’s daily," said Arthur Coviello, CEO of RSA Security.
This article is the written supplement to a CNBC Closing Bell broadcast segment.

Reuters, December 7, 2004
Experts Push for More Computer Security Efforts
Computer-security experts, including former government officials, urged the Bush administration on Tuesday to devote more effort to strengthening defenses against viruses, hackers, and other online threats. The Bush administration should spend more on computer-security research, share threat information with private-sector security vendors, and set up an emergency computer network that would remain functional during Internet blackouts, a computer-security trade group said.
This article also appeared in the following publications: CNN, The Washington Post and Wired News

The Wall Street Journal, December 7, 2004
Tighter Cyber Protection Is Urged By Computer-Security Industry
Computer-security executives are pressing the Bush administration to address threats to the nation's information-technology systems -- which they say were neglected during the president's first term. Seizing on the shake-up in top leadership at the Department of Homeland Security, the executives plan today to issue a dozen recommendations, including creating a backup communications network in the event of a major Internet outage and improving security for electronic controls used in electricity transmission, subways and other critical systems.
This article is by subscription only.



Upcoming Events

February 2005

Feb 14-18

The RSA Conference 2005

Moscone Center, San Francisco, CA

The RSA® Conference, the most prestigious information security event of the year, is also the most authoritative source for uncovering new ways to thwart cyber-criminals trying to smuggle themselves into today's businesses. As such, it is a "must attend" event for organizations that deploy, develop or investigate data security or cryptography products. Stay tuned for event details in our January newsletter!



New CSIA Members

CSIA welcomes our new members!

Charter Member:


Citrix Systems, Inc.
CEO: Mark Templeton

Emerging Security Partner:


TechGuard Security
CEO: Suzanne Joyce
Co-CEO/CTO: James Joyce



CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].

To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news

To share your comments about this newsletter or to submit information, send a message to [email protected].

Stay in touch with CSIA:
Membership questions: [email protected]
Phone: 781-876-6205

CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Suite 300
#3011
Washington, DC 20004

http://www.csialliance.org

© 2004 Cyber Security Industry Alliance. All rights reserved.